
Korean matchmaking service Duo fined over £600,000 over sensitive member data breach

Korean matchmaking company Duo has been fined over £600,000 by the country’s data protection watchdog for failing to secure the data of over 427,000 customers during a breach incident in early 2025.


The Personal Information Protection Commission, South Korea’s information security watchdog, announced on Thursday that it had imposed a penalty of 1.197 billion won, or £600,000, and an administrative fine of 13.2 million won, or £6,000, on the marriage brokerage service for a significant data breach incident that compromised customers’ personal information.


The incident occurred in January 2025 when a malicious actor gained access to a Duo employee’s work computer and used infostealer malware to harvest the credentials of a database server account. Using the stolen credentials, the threat actor accessed Duo’s member database server and exfiltrated the personal information of as many as 427,464 members before leaking the stolen data on the dark web.


According to PIPC, the compromised information included members’ login IDs, passwords, names, dates of birth, resident registration numbers, gender, email addresses, phone numbers, addresses, educational background, physical characteristics such as height, weight and blood type, relationship status, and professional information.


Duo is South Korea’s largest marriage brokerage service, offering high-end, data-driven matchmaking services to help members find their perfect match based on economic status, income, net worth, educational background, professional achievements and physical characteristics.


The matchmaking platform requires registered members to answer 165 questions about themselves, their preferences, their finances, future prospects, professional achievements, physical characteristics and their likes and dislikes in order to find a perfect match in a competitive society where economic status and appearance are seen as essential to getting married.


The wealth of information provided by members can quickly turn into a privacy nightmare if malicious actors get their hands on highly sensitive personal, financial and health data, along with sensitive topics such as sexual preferences and what people want from their partners.


The information watchdog found that Duo violated the Personal Information Protection Act by failing to apply secure encryption algorithms to resident registration numbers and passwords, and by failing to apply security measures that restrict access after multiple failed login attempts on the member databases that stored members’ sensitive information.


The watchdog also found that the marriage brokerage service had failed to destroy as many as 298,556 personal data records that ought to have been destroyed once the five-year retention period had expired, and that it had collected and stored members’ resident registration numbers without a legal basis.


"It was confirmed that Duo delayed reporting the leak for 72 hours without justifiable reason despite confirming the leak, and due to the nature of a marriage brokerage company, it collects a large amount of sensitive information containing a person’s life and tendencies, such as education, religion, and workplace, as well as basic personal information of suitors, and has been negligent in responding to prevent secondary damage, such as failing to notify the data subjects of the fact of the leak even to this day despite the information being leaked," the watchdog said.


PIPC has directed Duo to immediately notify all affected members about the data breach incident, publish information about the significant data leak on its operating website, and strengthen its information security protocols to prevent a similar incident from occurring in the future.


Following PIPC’s announcement, the marriage brokerage service published an apology letter on its website, stating that "we bow our heads in deep apology to our members who have placed their trust and affection in DUO, for causing you such distress."


In its message, Duo said the breach occurred on January 28, 2025, and it quickly reported the incident to the Korea Internet & Security Agency and other agencies and implemented technical measures to prevent further leakage of members’ data.


The company added that, in compliance with PIPC’s directions, it has deleted all resident registration numbers and has implemented corrective measures to strengthen the security of its information systems. It has also committed to notifying all affected members individually once it receives official notification of the results from PIPC.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543